k8s-security-policies

Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.

79

1.21x
Quality: 68% (Does it follow best practices?)

Impact: 95%, 1.21x (Average score across 3 eval scenarios)

Security by Snyk: Passed, No known issues

Optimize this skill with Tessl

npx tessl skill review --optimize ./tests/ext_conformance/artifacts/agents-wshobson/kubernetes-operations/skills/k8s-security-policies/SKILL.md

Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is a well-crafted skill description that clearly identifies its domain (Kubernetes security), lists specific capabilities (NetworkPolicy, PodSecurityPolicy, RBAC), and provides explicit trigger guidance via a 'Use when' clause. It uses proper third-person voice and includes natural keywords that users would employ when seeking help with Kubernetes security. One minor note is that PodSecurityPolicy is deprecated in favor of Pod Security Standards, but the description does mention 'pod security standards' in the trigger clause.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: 'Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security.' These are specific, named Kubernetes resources and concepts. | 3 / 3 |
| Completeness | Clearly answers both what ('Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC') and when ('Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards') with an explicit 'Use when' clause. | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Kubernetes', 'security policies', 'NetworkPolicy', 'PodSecurityPolicy', 'RBAC', 'network isolation', 'pod security standards', 'securing Kubernetes clusters'. Good coverage of both specific resource names and broader concepts. | 3 / 3 |
| Distinctiveness Conflict Risk | Clearly scoped to Kubernetes security specifically, with distinct triggers like NetworkPolicy, PodSecurityPolicy, RBAC, and pod security standards. Unlikely to conflict with general Kubernetes skills or general security skills due to the specific intersection of both domains. | 3 / 3 |
| Total | | 12 / 12 |

Passed

Implementation

37%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides comprehensive, executable YAML examples covering a wide range of Kubernetes security topics, which is its primary strength. However, it reads as a reference catalog rather than an actionable skill—there's no workflow guiding the user through implementation order, validation, or rollback. The content is also excessively verbose, with redundant examples and sections that explain concepts Claude already knows (compliance framework bullet points, best practices lists).

Suggestions

Add a clear implementation workflow with sequenced steps (e.g., 1. Apply default-deny NetworkPolicy, 2. Validate with kubectl describe, 3. Add allow rules, 4. Test connectivity) including validation checkpoints and rollback guidance.

Consolidate the three nearly-identical Pod Security Standards examples into one parameterized example with a note about the three levels (privileged/baseline/restricted).

Move the OPA Gatekeeper, Istio, and compliance framework sections to separate reference files and link to them from the main skill.

Remove the 'Purpose', 'When to Use This Skill', and generic 'Best Practices' sections—these add token cost without actionable value Claude doesn't already possess.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The skill is extremely verbose at ~300 lines, with significant redundancy. The three Pod Security Standards examples are nearly identical (differing only in one label value). The compliance frameworks section lists generic security advice Claude already knows. The 'When to Use This Skill' and 'Purpose' sections are unnecessary padding. | 1 / 3 |
| Actionability | The YAML manifests are complete, copy-paste ready, and cover all major security policy types (NetworkPolicy, RBAC, Pod Security Standards, OPA Gatekeeper, Istio). The troubleshooting section includes executable kubectl commands. | 3 / 3 |
| Workflow Clarity | There is no sequenced workflow for implementing security policies. The content is a reference catalog of YAML snippets with no guidance on order of operations, validation steps, or feedback loops. For security-critical operations like RBAC and network policies, missing validation checkpoints is a significant gap. | 1 / 3 |
| Progressive Disclosure | References to external files (assets/network-policy-template.yaml, references/rbac-patterns.md) are present and one-level deep, but the main file is monolithic with too much inline content that could be split out. The OPA Gatekeeper and Istio sections could easily be separate reference files. | 2 / 3 |
| Total | | 7 / 12 |

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository
Dicklesworthstone/pi_agent_rust
Reviewed
